Thycotic’s Cyber Security Publication

Data Privacy Day: Where has privacy gone, and will we ever get it back?

January 26th, 2018

Privacy is gone, but never forgotten. Can our current path even be reversed?

Yes, the end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures, though one common thread is that privacy is becoming less of an option for most citizens, globally.

In the coming years, we are going to see major head-to-head debates between governments and citizens. It’s clear that governments hate not being able to spy on (monitor) people, and encryption is making it harder for governments to gather intelligence on the activities of other nations’ foes or allies, either for political advantage, economic advantage or espionage.

The term ‘If you have nothing to hide you have nothing to fear’ is becoming reality

In public almost everyone is being watched and monitored 24/7. Thousands of cameras use your expressions, fashion, walk, directions, interactions and speech to determine what you need, what you might be thinking, who you are going to meet, and who is nearby. Algorithms even determine what your next action might be. All of this is to help provide a custom experience—unique to everyone—as well as to predict and prevent security threats. The term “If you have nothing to hide you have nothing to fear” is becoming reality, and privacy will continue to disappear in 2018.

We’re getting to the stage where real life is mimicking the movie “The Circle”, where governments, cybercriminals, and hackers are watching and monitoring you everywhere you go. You may think you’re retaining a certain level of privacy, but someone near you is taking pictures of you, and someone near you is scanning the networks and devices you’re using.

Your privacy is determined by what’s around you—not by you

So, even though you may think that you are private, it’s the people and social network around you that will determine your privacy—not you.

Compared to the past we’ve lost all control over the level of privacy we have. For example, if you’re using Alexa your voice is being continuously recorded. You’re being recorded by devices that have cameras, 24/7. So the only area where privacy exists today is in your own mind.

Privacy today is maintained by what’s between your ears. But not for long…

In the future, governments, cybercriminals, and hackers won’t just be looking at the data on your phone, they’ll be reading your mind. The technology is available today to do that, so eventually even our thoughts won’t be private any more. Now, you could decide, in defense, to run around wearing a tinfoil hat, but it’s more likely you’ll create a place in your home that’s not just a hurricane shelter, it’s a privacy shelter.

Exploited humans are the weakest link in the cybersecurity chain

Technology alone can’t protect your identity or your sensitive information. Hackers and other threat actors target humans, seeking ways to trick them into giving up vital information unknowingly. They do this because it’s the easiest way to get at valuable data in a process known as social engineering. So it’s not surprising that exploited humans are the weakest link in the cybersecurity chain, and yet the best hope for preventing a cybersecurity disaster.

Remember, you are the front line in the battle to keep information secure. Attacks rely on your goodwill and trust to succeed, so you must become more personally responsible in how you manage your information, even though this can be tiring.

Best Practice Tips for Data Privacy Day

Instead of wearing a tinfoil hat or spending most of your time in your privacy shelter, here are some tips that will help you improve your privacy without going to the extreme. They can be easily implemented right away.

Limit Personally Identifiable Information on social media

Whether you are about to create a new social media account, or you already have an existing account, enter only the basic information required to get the account activated. Avoid providing excessive information that could put you at risk. Many social media services will tempt you to add more information like date of birth, home address, location details and mobile numbers to make it easier for other people to find you, but in fact this increases your cybersecurity risk, and cyber criminals can often find this information. If you have already added this information, set it to hidden or remove it from your profile.

Enable privacy settings and increase the default security settings

Many social networks are open by default, privacy is basic or turned off, and security is optional. Review what privacy and security options are available and enable them. Make your account less visible and make sure the security is sufficient for the data or services you plan to use the account for. If multi-factor authentication is available use it. I prefer using an Authenticator application like Google, Microsoft, Symantec, or Authy instead of SMS. Enable alerts and notifications on your accounts so you are warned of any suspicious activity, and also when someone attempts to tag you.

Use $tr0ng3r passwords and change them often

When choosing a password make it a strong password, unique to that account, and change it often. The average age of a social password today is years, and social media platforms seldom remind you how old your password is, how weak it is, or when it’s time to change it. Protecting your account is your responsibility, so protect it wisely.

If you have many accounts and passwords use an enterprise password and privileged account vault to make it easy to manage and secure them. Never use the same password multiple times. A password manager helps track the age of each password, lets you know what additional security controls have been applied, and helps generate complex passwords for all your accounts so you won’t have to type or remember them. You only need to remember one strong password, which reduces your cyber fatigue and makes your life both easier and more secure.

Do not use social logins, and limit use of application passwords

Where possible use unique accounts rather than logging in via a social login. If the social login gets compromised it means that cyber criminals could cascade to all the accounts using that social login.

Limit what you do over Public Wi-Fi, and use the following best practices

It is better not to use a public Wi-Fi network without a VPN. Use your cell network (3G/4G/LTE) instead when security is important. When using public Wi-Fi, ask the vendor for the correct name of the Wi-Fi access point and establish that it has security before logging in. It is common for hackers to publish their own Wi-Fi SSID with a similar name.

Disable Auto Connect Wi-Fi or enable Ask to Join Networks. Hackers will use Wi-Fi access points with common names like “Airport” or “Cafe” so your device will auto connect without your knowledge. Do not elect to remember the Wi-Fi network.

Use the latest web browsers, as they have improved security against fake websites. This prevents someone from hosting their own fake version of a website, like Facebook, and waiting for you to enter your credentials.

Do not click on suspicious links—even via social chats—like videos that have your photo, and beware of advertisements that could direct you to compromised websites. Use a least privileged user or standard user while browsing, as this will significantly reduce the possibility of installing malware.

Use a VPN service. Always assume someone is monitoring your data over public Wi-Fi. Do not access sensitive data like financial information over public Wi-Fi. Do not change your passwords, and beware of entering credentials, while using public Wi-Fi. If you have a mobile device with a personal hotspot function, use this over public Wi-Fi where possible.

Limit how often you like a status post, follow a page or allow an application to access your social media profile

When using social media on a daily basis be aware of the risks of liking and following pages, or allowing different applications to access your profile. Once access is granted most people don’t practice the good cyber hygiene required to clean up when the access is no longer required. Be aware that the information you provide is shared and unless you revoke it the application will continue to have access to your profile data—your name, email, address, likes and friends, etc. On occasion, go into your account and review what you have approved. Revoke any access that is no longer required.

Beware of emails containing images, links and attachments—proceed with caution

In order to capture information about what device and browser you use, your software versions, patch levels and more, hackers send you an HTML email containing a tiny image. Simply clicking on this email will download the image into your email client automatically, by default, unless you change your settings. And in downloading that image you share information that hackers can use to exploit your systems.

To prevent sharing information about your device and location, disable automatic image downloads in your email client. That way you control when to download images from incoming email.
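To see which images a message would fetch before you allow image downloads, the following added example (not part of the original article) parses a raw email and lists every remote image, flagging the tiny ones described above. The sample message, host names and function names are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not a real email): embedded logo, remote banner, 1x1 remote image.
SAMPLE = """\
From: newsletter@example.com
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="cid:logo@example.com" width="200" height="50">
<img src="https://img.example.com/banner.png" width="600" height="120">
<img src="https://track.example.net/open.gif?u=12345" width="1" height="1">
</body></html>
"""

def _pixels(value):
    """Parse a width/height attribute such as "1" or "1px"; None if not numeric."""
    digits = (value or "").strip().lower().replace("px", "")
    return int(digits) if digits.isdigit() else None

class RemoteImageFinder(HTMLParser):
    """Collect <img> tags that a mail client would fetch over the network."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = urlsplit((attrs.get("src") or "").strip())
        if tag != "img" or not url.netloc:
            return  # cid: and data: images are embedded, so no request is made
        sizes = (_pixels(attrs.get("width")), _pixels(attrs.get("height")))
        dims = [d for d in sizes if d is not None]
        self.images.append({
            "host": url.hostname,
            "tiny": bool(dims) and all(d <= 1 for d in dims),  # 0x0 or 1x1
            "has_query": bool(url.query),  # may carry a per-recipient identifier
        })

def find_remote_images(raw_email):
    msg = message_from_string(raw_email, policy=policy.default)
    finder = RemoteImageFinder()
    for part in msg.walk():  # covers single-part and multipart messages
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.images

if __name__ == "__main__":
    print(find_remote_images(SAMPLE))
```

An image hidden with CSS rather than width and height attributes is still listed as remote but is not flagged as tiny, so treat every listed host as one that learns when and from where the message was opened.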

Before clicking stop and think. Ask “Is this expected, valid and trusted?”

We are a society of clickers; we like to click on things like hyperlinks. Always be cautious of receiving a message with a hyperlink, and ask yourself if the message was expected. Do you know the person who is sending it? If necessary ask the person if they actually sent you a message before clicking on something which might be malware, ransomware, a remote access tool, or something that could steal or access your data. Nearly 30% of people will click on malicious links. We all need to be more aware and cautious. Before clicking, stop and think.

Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.